1 / 24

Auditing Compliance with a Hippocratic Database

Auditing Compliance with a Hippocratic Database. Javier Salinas Martín. Outline. Introduction System architecture: Logs Audits Audit queries Performance. Introduction. Responsibly managing privacy sensitive data is mandatory Approaches: Physically logging the results of each query

karik
Télécharger la présentation

Auditing Compliance with a Hippocratic Database

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Auditing Compliance with a Hippocratic Database Javier Salinas Martín

  2. Outline • Introduction • System architecture: • Logs • Audits • Audit queries • Performance

  3. Introduction • Responsibly managing privacy sensitive data is mandatory • Approaches: • Physically logging the results of each query • New system to audit whether the database executed a query in the past that accessed private data

  4. System properties • Non-disruptive • Fast and precise • Fine-grained • Convenient

  5. System architecture

  6. Logs • Query log: timestamp, user ID • Temporal extensions: for each table T, a backlog table Tb is created • Time stamped • Interval stamped

  7. Time stamped organization • A tuple in Tb has two additional columns: • TS: time of storage • OP: operation {‘insert’, ‘delete’, ‘update’} • Triggers are used to capture updates • Recover state of T at time τ: take a snapshot

  8. Interval stamped organization • Period of time for wich each tuple was alive: • TS: time of storage • TE: end time • Insert trigger adds t to Tb, setting TE to null • Update trigger searches for tuple b such that b.P=t.P and b.TE=null and sets b.TE to the current time and inserts new tuple t • Delete trigger searches for tuple b such that b.P=t.P and b.TE=null and sets b.TE to the current time

  9. Audit expressions • Identical to that of a select query • No disctinct in the select list • “Audit” replaces “Select” • U: cross product of all the base tables in the database • Cells that satisfy the expression are marked in U

  10. Schema used for examples

  11. Example of audit expression • Audit if the disease information of anybody living in the ZIP code 95120 was diclosed • Cells corresponding to the disease column of those tuples in the Customer x Treatment table that have c.cid=t.pcid and c.zip = 95120 are marked

  12. Some definitions Tuple t, Query Q, Audit A • Indispensable tuple: omitting t makes a difference on Q • Candidate query: Q accesses all columns A specifies in its audit list • Suspicious query: Q and A share an indispensable tuple

  13. Example 1 • Q is a candidate query with respect to A • Q is suspicious with respect to A if there is a customer who lived in the ZIP code 95120 and was treated for diabetes

  14. Example 2 • Q is not suspicious with respect to A • Anyone who looks at the output of the query will not learn that Alice has cancer

  15. System architecture

  16. Audit query generation • Full audit expression • Two steps: • Static analysis: select candidate queries from the query log • Audit query generation: augment every candidate query with information from the audit expression and combine them into an audit query that unions their output

  17. Static analysis • Select candidate queries • Four steps: • Check whether Q is a candidate query • Check whether timestamp of Q is out of range • Check whether the purpose-recipient pair of Q matches any of the purpose-recipient specified in the otherthan clause of A • Check for contradictions between predicates • Set of candidate queries Q= {Q1,…,Qn}

  18. Audit Query Generation • Augment every Qi with A • Result is another query AQi, defined against the backlog database at time τi • τi is the timestamp of Qi as recorded in the query log • All AQi are combined into one AQ audit query whose output is the union of the output of the individual AQi • AQ is executed against the backlog database

  19. Audit Query Generation example • Example:

  20. Audit Query Generation example

  21. Audit Query Generation example

  22. Performance • Cost of maintaining backlog tables

  23. Performance • Execution time of an audit query

  24. Questions?

More Related